Date Published 19 Feb 19
Dealing with data breaches should be business as usual
In the run-up to GDPR, we started to see companies treating customers differently. We
began to see emails warning us about data breaches, with specific news about what the
breach was, what was being done about it and what, if anything, we should do ourselves.
And with Dixons Carphone now admitting that its breach last year actually involved 10 million
customers, many times more than was first believed, the subject remains very much in the
This is only going to accelerate – and if you have set things up properly, managing and
communicating data breaches will become business as usual. However, for most
companies, this is an entirely new area of communications. They don’t always know what to
do about it or how to handle it effectively.
Transparency is a cultural issue
Companies are not always used to being transparent in business today. Sharing any
information beyond what is absolutely necessary is seen as breaking commercial
confidentiality and might even make them feel vulnerable and weak.
But in light of GDPR’s requirements, and the growth of privacy by design and individuals’
data rights, this attitude is quickly becoming outdated.
The successful companies of tomorrow will not just communicate with transparency, but
embed it into their corporate DNA. They will understand that good news has more credibility
when it is in a more realistic context, so communicating the ‘bad news’ of data breaches
quickly and effectively actually has a long-term value.
Understanding the processes
Communicating data breaches confidently and with real transparency requires a number of
processes to be in place.
You must notify any personal data breach to the relevant supervisory authority (in the UK,
the ICO) within 72 hours of becoming aware of it – and also communicate the personal data
breach to the data subject without undue delay.
The notification to the authority needs to describe the nature of the personal data breach
including, where possible, the categories and approximate number of data subjects and
personal data records concerned.
It also has to communicate the name and contact details of the data protection officer or
other contact point where more information can be obtained, describe the likely
consequences of the breach and describe the measures taken or proposed to be taken by
the business to address the personal data breach, including, where appropriate, measures
to mitigate its possible adverse effects.
All this means you need effective processes for becoming aware of breaches quickly,
creating notifications and issuing them promptly.
Breaches can actually help generate trust
As communicating data breaches becomes the new normal, they will actually become an
opportunity. Companies who pass on that information quickly, efficiently and thoroughly,
through a transparent approach to business, will be trusted more readily by customers.
You can meet trust-hub at the GDPR/Data Privacy Conference in May 2019